Publish date: 27.05.25

Tata Consultancy Services (TCS), the principal technology partner to Marks & Spencer (M&S) since 2018, has launched an internal investigation to determine whether it was the initial access point in a recent cyberattack that severely disrupted M&S’s digital operations. The move follows comments by M&S CEO Stuart Machin, who attributed the incident to "human error" stemming from a third-party contractor, rather than a systemic failure within M&S's core infrastructure or security architecture.

TCS has played a critical role in the digital transformation of M&S, delivering core IT services including infrastructure management, application development, cloud migration, and digital customer engagement platforms. This deep integration with M&S’s operational and customer-facing systems inherently positions TCS as a privileged partner with extensive access across systems—making them a potential vector for attackers looking to exploit third-party trust relationships. While TCS has not yet been confirmed as the breach point, the nature of their access and the level of control they exert over IT assets make them a focal point of scrutiny.

The breach, linked to the cybercriminal group Scattered Spider, resulted in the exfiltration of customer data and led to a major outage of M&S’s online clothing platform for over three weeks, in addition to disruption of food-related and digital services. The incident has been financially significant, triggering an estimated £750 million drop in market capitalisation and potential operating losses of up to £300 million, as acknowledged in M&S’s FY2025 annual report. UK authorities have also initiated a parallel criminal investigation into the breach.

TCS aims to conclude its internal inquiry by the end of the month, per reports from the Financial Times. While TCS also services other UK-based clients such as Co-op, no investigation is currently underway regarding the Co-op breach, as TCS’s involvement in their IT infrastructure was reportedly limited.

This attack highlights a growing concern for CISOs and CIOs: the widening cyber risk aperture across complex supply chains. As organisations deepen their integration with third-party service providers and technology partners, the security posture of these collaborators becomes a direct extension of the enterprise itself. A breach in any link of the supply chain—whether due to compromised credentials, social engineering, or misconfigured endpoints—can expose critical business systems and customer data. As such, continuous monitoring, shared accountability frameworks, and zero trust principles across vendor ecosystems are now essential components of any mature cybersecurity strategy.

Moreover, this incident underscores the critical need for robust, integrated threat detection and response capabilities. Extended Detection and Response (XDR) offers organisations a unified approach to aggregating telemetry across endpoints, networks, servers, and cloud workloads, thereby enabling faster correlation, threat identification, and automated mitigation. For enterprises like M&S and their technology partners, implementing XDR can provide enhanced visibility into lateral movement across the digital estate and reduce the mean time to detect and respond to sophisticated threats—especially those exploiting social engineering vectors or third-party vulnerabilities.

The breach at M&S follows a similar event disclosed by Adidas, where a third-party customer service provider was exploited to gain unauthorised access to customer data. In Adidas’s case, no financial or password data was compromised, but the incident nonetheless required immediate containment, forensic investigation, and communications out to customers.

As threat actors increasingly target trusted third parties to infiltrate high-value enterprises, organisations must properly assess vendor risk and adopt a multi-layered defence strategy that blends staff training and vigilance with AI-driven threat analytics and automated response.

How Xeretec can help

Xeretec is a trusted cybersecurity partner to some of the UK’s largest retailers and enterprise organisations. With a deep understanding of the retail sector’s digital architecture and threat landscape, we deliver tailored, end-to-end protection through leading-edge Barracuda XDR solutions. When security is business-critical, trust Xeretec to safeguard your digital ecosystem with precision, intelligence, and resilience.

Contact us today to see how we can help you stay ahead of threats—whether they originate inside your network or via a third-party.